MHS Blog Articles

WordPress - cPanel - SEO - Security

With more and more of our personal data being stored on our computers, giving thoughtful consideration to a password strategy can go a long way in preventing data from being compromised. The following tips are presented as a guide to assist you in password selection.

Password Do’s

At least eight characters long

A combination of upper and lower case letters, numbers, punctuation and other symbols

Quick to type, in case anyone is peering over your shoulder

Password Don’ts

Your first name, last name, or login name, in any form

Consecutive or repetitive numbers or letters

Adjacent keyboard letters such as qwerty or asdfghjk

Common and obvious letter-number replacements (e.g. replace the letter O with number 0)

Easily guessed personal information such as names and dates of yourself, family members, pets and close acquaintances

Easily obtained information, such as:

address

license plate numbers

telephone numbers

credit card or ATM numbers

Social Security or Social Insurance numbers

email addresses

Dictionary words, in any language, forward and backward

Popular book titles, movie titles, or phrases

Short passwords
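The Do’s and Don’ts above expressed as a checker. This is an added example, not part of the original article: the word list is a small constructed sample, the four-character run threshold and the set of letter-number swaps are assumptions, and `personal` is a hypothetical parameter holding the names and dates the user should avoid.

```python
import re

# Constructed sample list; a real check would load a full dictionary and a
# list of known-breached passwords.
WORDS = {"password", "dragon", "monkey", "letmein", "welcome", "sunshine"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo the "common and obvious" replacements before the dictionary check.
UNLEET = str.maketrans("01345@$!7", "oleasasit")
RUN = 4  # assumption: the article gives no threshold for a "run"


def has_run(pw, length=RUN):
    """True if pw contains `length` repeated, consecutive or adjacent-key chars."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        if len(set(chunk)) == 1:                      # aaaa, 1111
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}):  # abcd, 4321
            return True
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True                               # qwer, lkjh
    return False


def check_password(pw, personal=()):
    """Return the list of the article's rules that `pw` breaks (empty = passes)."""
    problems = []
    low = pw.lower()
    plain = low.translate(UNLEET)
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, pw) for c in classes):
        problems.append("missing upper case, lower case, number or symbol")
    if any(p and p.lower() in form for p in personal for form in (low, plain)):
        problems.append("contains personal information")
    if has_run(pw):
        problems.append("repeated, consecutive or adjacent-key run")
    forms = (low, plain, low[::-1], plain[::-1])
    if any(word in form for word in WORDS for form in forms):
        problems.append("dictionary word, plain, reversed or with obvious swaps")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "qwerty12", "drowssaP1!", "vT9#kLm2&xQe"):
        print(candidate, "->", check_password(candidate) or "passes")
```

A password such as `P@ssw0rd1` satisfies every Do on the list and still fails, because undoing the obvious swaps leaves a dictionary word.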

Additional Tips

Never share your password with anyone. Protect all passwords as you would protect your bank PIN.

Never store passwords unencrypted on your computer. Password management software is great for managing many passwords, but take great care to protect access to your password database with a strong password, access card or USB key! (Or better, a combination of these).

In today’s busy world, convenience seems to outweigh consequence, especially with how people use their mobile devices.

Using free public Wi-Fi networks, for example, comes with any number of serious security risks, yet surveys show that the overwhelming majority of Americans do it anyway. In a study by privatewifi.com, a whopping three-quarters of people admitted to connecting to their personal email while on public Wi-Fi.

It isn’t hard to see that a few moments of online convenience are far outweighed by your money or financial information being stolen, or by suffering the embarrassment of your personal information being publicly released. According to a recent opinion poll, more people are leery of public Wi-Fi networks than of public toilet seats (a promising sign). But an interesting experiment, conducted at the 2016 Republican and Democratic National Conventions, showed attendees’ true colors. At each convention, private entities provided visitors with free public Wi-Fi networks (for social science purposes). Around 70% of people connected to the nonsecure Wi-Fi networks at both conferences.

Security consultants often find that sex can be an attention-grabbing metaphor for clients. When we lecture businesspeople about cybersecurity, we compare the dangers of using public Wi-Fi to the risks of having unprotected sex. In both cases, not taking the necessary precautions can lead to lasting harm. For mobile devices, the harm is digital: the theft of your personal data, such as passwords, financial information, or private pictures or videos. You’re rolling the dice every time you log on to a free network in a coffee shop, hotel lobby, or airport lounge.

Think the problem is being exaggerated, or that cyber theft only happens to large corporations? Consider that over half of the adults in the U.S. have their personal information exposed to hackers each year. Furthermore, Verizon’s annual Data Breach Investigation Report has found that 89% of all cyber attacks involve financial or espionage motives.

There are dozens of online tutorials showing hackers how to compromise public Wi-Fi, some of them with millions of views. The most common method of attack is known as “Man in the Middle.” In this simple technique, traffic is intercepted between a user’s device and the destination by making the victim’s device think the hacker’s machine is the access point to the internet. A similar, albeit more sinister, method is called the “Evil Twin.” Here’s how it works: You log on to the free Wi-Fi in your hotel room, thinking you’re joining the hotel’s network. But somewhere nearby, a hacker is boosting a stronger Wi-Fi signal off of their laptop, tricking you into using it by labeling it with the hotel’s name. Trying to save a few bucks, and recognizing the name of the hotel, you innocently connect to the hacker’s network. As you surf the web or do your online banking, all your activity is being monitored by this stranger.

Still not convinced of the risks?

Here’s a story that should worry business travelers in particular. In 2014 experts from Kaspersky Lab uncovered a very sophisticated hacking campaign called “Dark Hotel.” Operating for more than seven years and believed to be a sophisticated economic espionage campaign by an unknown country, Dark Hotel targeted CEOs, government agencies, U.S. executives, NGOs, and other high-value targets while they were in Asia. When executives connected to their luxury hotel’s Wi-Fi network and downloaded what they believed were regular software updates, their devices were infected with malware. This malware could sit inactive and undetected for several months before being remotely accessed to obtain sensitive information on the device.

What is the best way to protect yourself against these kinds of Wi-Fi threats?

Although antivirus protection and firewalls are essential methods of cyber defense, they are useless against hackers on unsecured Wi-Fi networks. Consider the following seven security tips to keep prying eyes out of your devices:

Don’t use public Wi-Fi to shop online, log in to your financial institution, or access other sensitive sites — ever

Use a Virtual Private Network, or VPN, to create a network-within-a-network, keeping everything you do encrypted

Implement two-factor authentication when logging into sensitive sites, so even if malicious individuals have the passwords to your bank, social media, or email, they won’t be able to log in

Only visit websites with HTTPS encryption when in public places, as opposed to lesser-protected HTTP addresses

Turn off the automatic Wi-Fi connectivity feature on your phone, so it won’t automatically seek out hotspots

Monitor your Bluetooth connection when in public places to ensure others are not intercepting your transfer of data

Buy an unlimited data plan for your device and stop using public Wi-Fi altogether

The more you take your chances with a free network connection, the greater the likelihood that you will suffer some type of security breach. There is a saying in the cybersecurity industry that there are three types of people in the world: those who have been hacked, those who will be hacked, and those who are being hacked right now and just don’t know it yet. The better you protect yourself, the greater your chances of minimizing the potential damage. Remember: Falling victim to public Wi-Fi’s dangers is a question of when, not if.

Password Strength Tips: #1 Change your passwords regularly!

If you have a poor password, your website is at risk! Spammers and phishers constantly try to break into websites and email accounts that have poor passwords. Once in, they use your website to host fake websites intended to deceive people into providing private information, or they use your website’s sendmail service to send spam from YOUR email address. The #1 way to protect yourself is YOUR PASSWORD. We encourage all users to choose a difficult password using the password strength tips listed below.

MHS users have several passwords associated with their hosting account:

cPanel/FTP Login

Email Logins

Content Manager Logins (WordPress, Drupal, etc.)

And some of these have multiple logins

Passwords aren’t supposed to be easy; they are intended to protect you, so don’t make it easy!

Our Best Password Strength Tips:

Use interspersed numbers, e.g. use 0 instead of o (zero instead of the letter o)

Use characters such as !@#$%&, e.g. use ! instead of i, etc.


What is Phishing?

“Phishing” is when criminals use email, phone and online scams to purposefully and maliciously trick people into sharing information such as passwords, Social Security numbers, account and credit card details and even your mother’s maiden name! Phishing is Phraud and it is a crime.

Defend Yourself:

Educate yourself, your family, and if applicable, your co-workers, clients and business partners on what Information Theft is, and what you can do to protect yourself.

No legitimate business or government agency will ever ask for personal information via email or phone unless you initiate the contact. If you receive such a request, DON’T RESPOND.

Quick Facts:

According to a Federal Trade Commission report, Information Theft is the fastest growing crime in the United States. It occurs once every 79 seconds on average. In 2005, the cost to consumers was in excess of $5,000,000,000, while the cost to businesses was in excess of $47,000,000,000. The average consumer loss from a phishing attack is $1200.

According to a Symantec presentation, 1 out of every 125 emails sent is a phishing attack. In 2005, phishing attacks rose by 90%.

The Anti-Phishing Working Group reports that 5.7 billion phishing emails are sent each month, and that over 150,000 unique phishing attacks and 3,000 phishing websites are reported per month.

What information are Phishers after?

Phishers are interested in gathering information which, by nature, is private and/or confidential, especially if this information can help them steal your identity.

Information Theft targets a wide array of information, including, but not limited to:

Social Security Numbers.

Driver’s License Numbers.

Date and Place of Birth.

Mother’s Maiden Name.

Account Numbers.

PINs.

Usernames.

Passwords.

Personal Information.

Any confidential information that criminals can either directly use or resell.

Defend Yourself:

Do not disclose any personal information unless the requester has a valid need for the information.

Don’t hesitate to ask how your information is going to be protected.

Never agree to have your information shared or sold.

Remember: No legitimate business or government agency will ever ask for personal information via email or phone unless you initiate the contact. If you receive such a request, DON’T RESPOND!

How NOT to become a Victim.

Phishing may appear to be an anonymous crime, but it is not a victimless crime. However, we have good news: simple techniques exist to NOT become a Phishing Victim.

Simple Techniques:

Never provide confidential information unless you started the conversation. Never answer an email, pop-up, phone call, letter, etc. that asks for personal information. Legitimate companies do NOT ask for this information, ever!

Be suspicious! Because something is written down in an email or in a pop-up does not mean that it is true and legitimate.

Do not click on a link provided in an email or enter information in a pop-up window. Go to the website yourself and from there navigate to the area of interest.

Use anti-malware solutions that are updated. This will stop the installation of crimeware on your computer that could harvest your information.

Do not use public computers or wireless networks to conduct confidential activities. This includes wi-fi hot spots, kiosk computers, cybercafés.

Shred all documents that contain personal, sensitive or confidential information.

What to do if you have been phished?

If you are a phishing victim, it is important for you to follow these simple instructions to minimize the damage caused by the criminals who stole your information.

Report it!

Place a Fraud Alert on your Credit Report.

Close the accounts that you know, or believe, have been tampered with or opened fraudulently.

File a police report.

File a complaint with the Federal Trade Commission. By sharing your identity theft complaint with the FTC, you will provide important information that can help law enforcement officials across the nation track down identity thieves and stop them. The FTC can refer victims’ complaints to other government agencies and companies for further action, as well as investigate companies for violations of laws the agency enforces.

Monitor your bank accounts, credit card accounts and credit report.

Spotlight on Reporting Action Plan:

Write down the name of everyone you talk to, what he or she tells you, and the date the conversation occurred.

Follow up in writing with all contacts you’ve made on the phone or in person. Use certified mail, return receipt requested, so you can document what the company or organization received and when.

Keep copies of all correspondence or forms you send.

Keep the originals of supporting documents, like police reports and letters to and from creditors; send copies only.

Remember:

If you are a victim of phishing, others in your community will be, too. The sooner you report it, the sooner you can help protect your community against these criminals!

Yup, all of the benefits of SSL for just $5.95/mo!

Why should I get SSL on my website?

Look at the information below on how the latest release of the Google Chrome browser now shows whether your website is secure or NOT.

What is an SSL Certificate?

Have you ever noticed how sometimes websites start with “http://” and then sometimes they start with “https://” and have a green padlock nearby? If you have, you’ve seen the end result of an SSL certificate. But what you haven’t seen is what goes on behind the scenes.

SSL stands for Secure Sockets Layer. Essentially, SSL establishes an encrypted link between your web server and your visitor’s web browser. This ensures that all data passed between the two remains private and secure.

With an unsecured HTTP connection, third-parties can snoop on any traffic passing between your reader’s browser and your web server. Obviously, this is a huge issue if you’re passing sensitive information like credit card numbers.

But nowadays, many entities, including Google, are pushing to use secure HTTPS connections for all traffic, even things you might think are mundane.

Why Do You Need an SSL Certificate?

In general, the internet is not a very secure place. Google has made the ultimate decision to help force all of us to get more secure with our websites. Starting on January 7th, 2017, Google rolled out an update to their Chrome Web Browser that drastically changes the way your URL shows up in the browser. An added benefit is that Google gives a search engine ranking boost to sites that use SSL. This added benefit alone is good reason to get your site secure.

If your website is not secure, and does NOT have an SSL Certificate this is what it looks like now:

Notice the circle with the i. This was where your company logo, or Favicon, used to show up.

If you click on the i you now get this warning:

You definitely do not want all of your users seeing that in their URL bar…

So, in addition to offering a benefit to your readers by securing their connection, you also have both a Google-provided carrot and stick to motivate you to use an SSL certificate for your site.

Are SSL Certificates Expensive? What Are the Different Kinds?

There are a number of different SSL certificates you can choose from, each offering a different level of trust.

GlobalSign Extended Validation SSL Certificate ($595/yr)

For example, Maine Hosting Solutions uses a GlobalSign Extended Validation SSL Certificate; that’s how we get our company name next to the green padlock. EV SSL Certs cost $595/yr, but come with a $1.25 Million GlobalSign Underwritten Warranty. EV Certs are geared to organizations that handle a high volume of user input data, user logins, credit card data, etc.

GlobalSign DomainSSL Certificate ($175/yr or $14.95/mo)

Anti-Spam Engine uses a GlobalSign DomainSSL to get the green padlock. This level of certificate costs only $175/yr and comes with a $10,000 GlobalSign Underwritten Warranty. DomainSSL certs are geared toward eCommerce websites producing less than $100,000 in online annual sales.

Standard SSL Certificate ($59.95/yr or $5.95/mo)

Notice that Atlantic Limousine uses a Standard SSL Cert, but it looks identical to the more expensive GlobalSign DomainSSL Cert. The difference is that Standard SSL Certs do not have an underwritten warranty. Why? These certs are not for eCommerce sites, or sites that handle sensitive user data. Standard SSL Certs are for sites that need SSL to comply with Google SSL requirements and to aid in SEO Rankings. You can get Standard SSL Certs for just $5.95/mo on any MHS Hosting Plan.

How to Get an SSL Certificate from Maine Hosting Solutions?

If you’re just running a regular WordPress site and aren’t handling any super sensitive information (like credit cards), you can get a Standard DomainSSL Certificate from us for just $5.95/mo.

Wrapping Things Up

Because of how Google is pushing SSL, it’s not something you can ignore. Right now, you’ve got the carrot of improved search rankings. But Google is showing they’re not afraid to use Google Chrome to “punish” sites who don’t move to SSL.

Given that you can now get an inexpensive SSL certificate from Maine Hosting, there’s no reason not to protect your visitors’ connections and boost your search engine rankings in the process.

Who?

Who has to be PCI Compliant?

Everyone who has any contact with credit card information, including websites which automatically transmit credit card data to an authorized gateway, must be audited on a yearly basis and must submit PCI compliant quarterly reports.

What?

What is PCI compliance?

It is the adherence to the set of rules set forth by Visa, MasterCard, American Express and others in the credit card industry.

Their basic goal is for everyone who is accepting credit cards to follow the same set of standards to be sure that credit card information submitted by your client cannot get compromised in the process of handling their transaction with you.

When?

When do I need to be PCI Compliant?

Different merchant providers are implementing PCI Compliance at different times. However, there is no better time to achieve this status, for your OWN protection. Stolen credit card data can result in the loss of your merchant services, as well as impact your ability to apply for merchant services in the future.